Bitcoin 0.13.0: Binary Safety Warning Issued

Bitcoin.org have issued a safety warning alongside the release of the 0.13.0 software update. They warn of ‘state sponsored attackers’ that may be looking to disrupt the upgrade process. The Chinese Bitcoin community in particular has been asked to be extra vigilant in making sure they obtain the correct binaries.

The warning post then goes on to explain how to verify that the binary you obtain has the right signature and matches the key belonging to Bitcoin Core developer Wladimir J. van der Laan. You can find Wladimir’s Bitcoin Core 0.13.0 release announcement on the Bitcoin mailing list here.

A discussion ensued on Reddit following the warning with over 200 comments ranging from conspiracy theory to the banal.

Verification and Key Signing

Verifying digital signatures is a must for all sensitive software and a task that many experienced developers are not well versed in. Qubes OS, an operating system developed to offer more control to the user, offers a detailed guide on Digital Signatures and Key Verification. The Tails project, a portable operating system for accessing and communicating through the Tor network, also offers guidance on Downloading and Verifying using OpenPGP.
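The check described above can be scripted. This is an added example, not taken from the Bitcoin.org warning or the guides mentioned here: it pins the signer's fingerprint rather than accepting any "good signature", then compares the download against the signed checksum list. The function names, the file name SHA256SUMS.asc and the fingerprint value are assumptions or placeholders.

```sh
#!/bin/sh
# Added example, not from Bitcoin.org. Assumptions: the release ships a
# clearsigned checksum list (named SHA256SUMS.asc here) and the signer's key
# is already in the local keyring. The fingerprint below is a constructed
# placeholder; pin the real one obtained from a source you trust.
PLACEHOLDER_FPR=0123456789ABCDEF0123456789ABCDEF01234567

# Constructed sample of `gpg --status-fd` output, for trying signer_matches.
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer
[GNUPG:] VALIDSIG $PLACEHOLDER_FPR 2016-08-23 1471939200 0 4 0 1 8 01 $PLACEHOLDER_FPR"

# True only if the status text reports a good signature AND the primary-key
# fingerprint (last VALIDSIG field) equals the pinned one. A "good signature"
# from some other key in the keyring must not pass.
signer_matches() {  # $1 = gpg status text, $2 = pinned fingerprint
    pinned=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    printf '%s\n' "$1" | awk -v want="$pinned" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { valid = 1 }
        END { exit !(good && valid) }'
}

# True only if the SHA-256 of file $1 equals its entry in checksum list $2.
hash_matches() {  # $1 = downloaded file, $2 = list of "HEX  NAME" lines
    name=$(basename "$1")
    want=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$2")
    [ -n "$want" ] || return 1
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# Full check. Hashes are read from the text gpg actually verified, not from
# the raw .asc, because lines outside the signed region are not covered.
verify_release() {  # $1 = file, $2 = SHA256SUMS.asc, $3 = pinned fingerprint
    signed=$(mktemp) || return 1
    status=$(gpg --batch --yes --status-fd 1 --output "$signed" --decrypt "$2" 2>/dev/null) || true
    if signer_matches "$status" "$3" && hash_matches "$1" "$signed"; then rc=0; else rc=1; fi
    rm -f "$signed"
    return "$rc"
}
```

Requiring GOODSIG means a signature from an expired or revoked key is rejected, which is the conservative choice for a fresh download.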

An increasing number of nodes have upgraded their software and are now running v0.13.0, as can be seen on Bitnodes.

To anyone running an implementation of the Bitcoin software, checking a GPG signature should be considered more than a best practice; it should be considered a requirement. We can only hope these warnings issued by the developers fall on well-seasoned deaf ears.